1
0
mirror of https://github.com/postgres/postgres.git synced 2025-07-11 10:01:57 +03:00

Remove sslverify parameter again, replacing it with two new sslmode values:

"verify-ca" and "verify-full".

Since "prefer" remains the default, this will make certificate validation
off by default, which should lead to less upgrade issues.
This commit is contained in:
Magnus Hagander
2009-04-24 09:43:10 +00:00
parent 420ea68817
commit e883d0b551
5 changed files with 89 additions and 102 deletions

View File

@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.123 2009/04/14 17:30:16 momjian Exp $
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.124 2009/04/24 09:43:10 mha Exp $
*
* NOTES
*
@ -523,7 +523,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
* If told not to verify the peer name, don't do it. Return
* 0 indicating that the verification was successful.
*/
if(strcmp(conn->sslverify, "cn") != 0)
if (strcmp(conn->sslmode, "verify-full") != 0)
return true;
if (conn->pghostaddr)
@ -987,9 +987,9 @@ initialize_SSL(PGconn *conn)
return -1;
/*
* If sslverify is set to anything other than "none", perform certificate
* verification. If set to "cn" we will also do further verifications after
* the connection has been completed.
* If sslmode is set to one of the verify options, perform certificate
* verification. If set to "verify-full" we will also do further
* verification after the connection has been completed.
*
* If we are going to look for either root certificate or CRL in the home directory,
* we need pqGetHomeDirectory() to succeed. In other cases, we don't need to
@ -999,7 +999,7 @@ initialize_SSL(PGconn *conn)
{
if (!pqGetHomeDirectory(homedir, sizeof(homedir)))
{
if (strcmp(conn->sslverify, "none") != 0)
if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not get home directory to locate root certificate file"));
@ -1064,7 +1064,7 @@ initialize_SSL(PGconn *conn)
else
{
/* stat() failed; assume cert file doesn't exist */
if (strcmp(conn->sslverify, "none") != 0)
if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("root certificate file \"%s\" does not exist\n"